SQL Injection

Thread: SQL Injection

  1. #1
    Junior Member
    Join Date
    Apr 2006
    Posts
    20

    SQL Injection

    So I am teaching myself some new security penetration testing stuff, and one thing that I am not good at is SQL injection. So I created a lab environment with a Windows computer running LAMP. (I know that I should use Linux, but our lab didn't have any test Linux boxes. They are in production.)

    So I created a MySQL database and web page to try and learn MySQL injections. I am writing the page in PHP because I know it, and that looks to be a problem. Every time I send in a character in the login form (something that I made), the entry gets slashes.


    ' = \'
    " = \"
    \n = \\n


    So on and so forth.

    How can I fool PHP with SQL injections? This is for learning only.


    Thanks
    Jive Lady: Jus\' hang loose, blood. She gonna catch ya up on da\' rebound on da\' med side.
    Second Jive Dude: What it is, big mama? My mama no raise no dummies. I dug her rap!
    Jive Lady: Cut me some slack, Jack! Chump don\' want no help, chump don\'t GET da\' help! Jive ass dude don\'t got no brains anyhow! Hmmph!

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    What PHP functions are you using for the queries to MySQL?

    FYI: you can't run LAMP on a Windows computer, it's WAMP for j00.
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  3. #3
    Junior Member
    Join Date
    Apr 2006
    Posts
    20
    Here is my code

    Code:
    <html>
    <head>

    <title>Auth</title>
    </head>
    <body>


    <?php
    // $user = $_REQUEST['user'];
    // $user = $_GET['user'];
    $pass = $_REQUEST['pass'];

    // $HTTP_GET_VARS is the old (pre-PHP 4.1) name for $_GET.
    $user = $HTTP_GET_VARS['user'];
    echo "$user $pass \n";

    $host     = 'localhost';
    $username = '';
    $password = '';
    $database = 'dbLogin';

    $connection = mysql_connect($host, $username, $password) or die("Could not connect to mysql");
    $db = mysql_select_db($database, $connection) or die("Could not connect to the database");

    // Request input is interpolated straight into the SQL string; this is the
    // injection point the thread is about. With magic_quotes_gpc on, PHP has
    // already run addslashes() on it, which is where the \' comes from.
    $result = mysql_query("SELECT * FROM tbl_auth WHERE col_UserName = '{$HTTP_GET_VARS['user']}'");

    // $result = mysql_query('SELECT * FROM tbl_auth WHERE col_UserName="'.$_GET['user'].'"');

    while ($row = mysql_fetch_array($result))
    {
        echo "$row[ID] $row[col_UserName] $row[col_Password]";
    }

    ?>
    </body>
    </html>

  4. #4
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Is magic_quotes_gpc on?

    The PHP directive magic_quotes_gpc is on by default, and it essentially runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on strings that have already been escaped with magic_quotes_gpc as you'll then do double escaping. The function get_magic_quotes_gpc() may come in handy for checking this.

    http://us2.php.net/manual/en/ref.inf...gic-quotes-gpc

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Well, if that really is the code, this isn't the case, but there are functions in PHP to help prevent these kinds of attacks, IIRC, mysql_real_escape_string(). You might could try altering it a bit: instead of using ' use maybe %27 or double unicode encode? Probably won't work, but regardless, the point of SQL Injection is to add/modify the SQL query, so start thinking about what query you have out there and how you could alter it, and you will find that it isn't always necessary to have ' to do a SQL Injection...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
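The replies above circle around escaping (magic_quotes_gpc, addslashes(), mysql_real_escape_string()), but the fix that works regardless of quoting context is to stop building the SQL string from the request at all. Below is an added example, not code from the thread, of the same lookup from post #3 rewritten with PDO prepared statements; it assumes the PDO MySQL driver is available, reuses the thread's database, table and column names, and uses placeholder credentials.

```php
<?php
// Added example (not the original poster's code): the lookup from post #3 with
// the user name sent to MySQL as a bound parameter instead of spliced into the
// SQL text. Database, table and column names are from the thread; the
// credentials are placeholders.
declare(strict_types=1);

function lookupUser(PDO $db, string $user): array
{
    // MySQL compiles the statement with the '?' placeholder before the value
    // arrives, so quotes, backslashes or comment sequences in $user are data,
    // not SQL. The password column is deliberately not selected.
    $stmt = $db->prepare('SELECT ID, col_UserName FROM tbl_auth WHERE col_UserName = ?');
    $stmt->execute([$user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO(
    'mysql:host=localhost;dbname=dbLogin;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares rather than client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Same input as the original page, but it is never echoed back raw.
$user = $_GET['user'] ?? '';

foreach (lookupUser($db, $user) as $row) {
    // Escape on output so the stored value cannot inject HTML either.
    echo htmlspecialchars($row['ID'] . ' ' . $row['col_UserName'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

On the PHP versions discussed in the thread, magic_quotes_gpc still adds slashes to $_GET before this code runs and would put literal backslashes into the lookup; with bound parameters that escaping is unnecessary, so it should be turned off in php.ini (it was removed entirely in PHP 5.4).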
